Mobile Phone Virus Augurs Growing Threat

Ken Dunham of iDefense called the availability of the Cabir source code an ominous sign. "Whenever you see the source code available on the underground, the more likely it is to be exploited," he said.

By Jay Lyman
Dec 29, 2004 10:49 AM PT

Two new variants of the Cabir mobile phone virus have been discovered, indicating that the source code for the virus is available in the malware underground. Even more troubling, the new variants are smarter than the old.

The attackers appear to be following the same path as Internet worm writers, improving upon each other's work and creating more effective and dangerous viruses. That could mean trouble for mobile phones, particularly those that connect to the Internet.

Finnish antivirus firm F-Secure announced it had discovered the two variants, Cabir.H and Cabir.I. Although there were no reports of the software spreading on cell phones, the firm said, the finding points to the growing threat of viruses and worms on mobile phones.

"We have no reports of Cabir.H and Cabir.I in the wild yet," F-Secure said in an update on its site. "However, this is probably only a matter of time, as the virus writer behind these variants has publicly posted them on his Web page."

Quicker Cabirs

F-Secure reported several examples of phone malware during recent weeks. Many of those viruses were Cabir and Skulls variants, which affect Symbian Series 60 phones.

While it explained that the source code for Cabir is "floating around in the underground," F-Secure also indicated that two of the new variants were significant improvements on the original mobile phone virus.

"Cabir originally would only spread to one new phone per reboot," F-Secure said. "Cabir.H and Cabir.I can spread to an unlimited number of phones per reboot."

The variants could spread quite rapidly, sending themselves via Bluetooth wireless connections to vulnerable phones. Once a target phone leaves the area, Cabir.H will find a new target and continue spreading, F-Secure said.

Source of Spread

Ken Dunham, iDefense director of malicious code intelligence, told TechNewsWorld that a well-known group of attackers had indicated plans to release the source code for Cabir in the coming week. The security expert called the availability of source code an ominous sign.

"Whenever you see the source code available on the underground, the more likely it is to be exploited," he said.

Dunham downplayed the immediate threat of the mobile phone viruses and variants, but he said that the attackers -- now working for motives of both notoriety and profit -- are progressing like Internet and e-mail virus writers, who have evolved their threats over the years.

Tech and Trouble Advances

There has long been concern about viruses that spread via mobile phones, and a couple of examples saw limited success. The threat has historically been mitigated, however, by the limited resources -- such as power and bandwidth -- of hand-held devices.

But as mobile phones and personal digital assistants (PDAs) have advanced and been merged to create smart phones that connect to the Internet, they have become more inviting for attackers looking to spread viruses or steal information.

More evidence of the trend came with last month's mobile phone Trojan, a software program that used a Russian Web site to spam mobile phones via short message service (SMS).

Dunham, who echoed other experts in pointing out that those paying for minutes could incur significant costs from such malicious software, said he envisions an increasing amount of spam and other efforts, such as phishing enticements for personal information, to move to the mobile phone platform.

F-Secure, which provides smart phone antivirus software, also forecast more malware for mobile phones, indicating new attacks might include Trojan horses in games, screensavers and other applications.